1 /* $OpenBSD$ */
2 /*
3  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "tls_compat.h"
19 
20 #ifdef USUAL_LIBSSL_FOR_TLS
21 
22 #include <ctype.h>
23 
24 #include "tls_internal.h"
25 
/*
 * Replace the heap string owned by *dest with a copy of src.
 *
 * The previous value is released and *dest reset to NULL before the copy
 * is attempted, so a failed allocation leaves an empty slot rather than a
 * dangling pointer. A NULL src simply clears the slot.
 *
 * Returns 0 on success, -1 if the copy could not be allocated.
 */
static int
set_string(const char **dest, const char *src)
{
	char *copy;
	size_t n;

	free((char *)*dest);
	*dest = NULL;

	if (src == NULL)
		return 0;

	/* Same result as strdup(): copy the bytes including the terminator. */
	n = strlen(src) + 1;
	if ((copy = malloc(n)) == NULL)
		return -1;
	memcpy(copy, src, n);
	*dest = copy;

	return 0;
}
36 
/*
 * Return a freshly malloc()ed copy of the len bytes at in, or NULL when
 * the allocation fails. Ownership of the result passes to the caller.
 */
static void *
memdup(const void *in, size_t len)
{
	void *copy = malloc(len);

	if (copy != NULL)
		memcpy(copy, in, len);
	return copy;
}
47 
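/*
 * Replace the heap buffer owned by (*dest, *destlen) with a copy of the
 * srclen bytes at src.
 *
 * The previous buffer is released and the slot reset to (NULL, 0) before
 * the copy is attempted, so a failed allocation never leaves a dangling
 * pointer. A NULL src clears the slot. The length is recorded only once
 * the copy exists: previously a NULL src with a non-zero srclen left
 * *dest == NULL while *destlen claimed srclen bytes, an inconsistent pair
 * for any reader that trusts the length.
 *
 * Returns 0 on success, -1 if the copy could not be allocated.
 */
static int
set_mem(char **dest, size_t *destlen, const void *src, size_t srclen)
{
	free(*dest);
	*dest = NULL;
	*destlen = 0;

	if (src == NULL)
		return 0;

	if ((*dest = memdup(src, srclen)) == NULL)
		return -1;
	*destlen = srclen;

	return 0;
}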
60 
/* Allocate a zeroed keypair; NULL on allocation failure. Caller owns it. */
static struct tls_keypair *
tls_keypair_new(void)
{
	struct tls_keypair *kp = calloc(1, sizeof(*kp));

	return kp;
}
66 
/*
 * Store a copy of cert_file as the keypair's certificate path; NULL clears
 * it. Returns 0 on success, -1 on allocation failure.
 */
static int
tls_keypair_set_cert_file(struct tls_keypair *keypair, const char *cert_file)
{
	const char **slot = &keypair->cert_file;

	return set_string(slot, cert_file);
}
72 
/*
 * Store a copy of the len-byte certificate blob in the keypair; NULL clears
 * it. Returns 0 on success, -1 on allocation failure.
 */
static int
tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
    size_t len)
{
	char **buf = &keypair->cert_mem;
	size_t *buflen = &keypair->cert_len;

	return set_mem(buf, buflen, cert, len);
}
79 
/*
 * Store a copy of key_file as the keypair's private key path; NULL clears
 * it. Returns 0 on success, -1 on allocation failure.
 */
static int
tls_keypair_set_key_file(struct tls_keypair *keypair, const char *key_file)
{
	const char **slot = &keypair->key_file;

	return set_string(slot, key_file);
}
85 
/*
 * Replace the in-memory private key with a copy of the len bytes at key;
 * NULL clears it. The old key bytes are wiped with explicit_bzero() before
 * set_mem() frees them, so the secret does not linger in released heap
 * memory. Returns 0 on success, -1 on allocation failure.
 */
static int
tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
    size_t len)
{
	char *old = keypair->key_mem;

	if (old != NULL)
		explicit_bzero(old, keypair->key_len);

	return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
}
94 
/*
 * Drop the certificate and key bytes held in memory (the key is wiped
 * first); file paths are kept. Clearing with a NULL source cannot fail,
 * so the results are not checked.
 */
static void
tls_keypair_clear(struct tls_keypair *keypair)
{
	(void)tls_keypair_set_cert_mem(keypair, NULL, 0);
	(void)tls_keypair_set_key_mem(keypair, NULL, 0);
}
101 
/*
 * Wipe and release a keypair and everything it owns. NULL is accepted.
 */
static void
tls_keypair_free(struct tls_keypair *keypair)
{
	if (keypair == NULL)
		return;

	/* Zeroes the key bytes and releases both blobs (slots become NULL). */
	tls_keypair_clear(keypair);

	free((char *)keypair->cert_file);
	free((char *)keypair->key_file);
	free(keypair->cert_mem);
	free(keypair->key_mem);
	free(keypair);
}
117 
/*
 * Allocate a config populated with the library defaults: the system CA
 * bundle, no DHE params, automatic ECDHE curve, the "secure" cipher list,
 * the default protocol set, verify depth 6, server cipher preference and
 * full certificate/name/time verification.
 *
 * Returns NULL on allocation failure or if a default cannot be applied.
 */
struct tls_config *
tls_config_new(void)
{
	struct tls_config *config = calloc(1, sizeof(*config));

	if (config == NULL)
		return (NULL);

	config->keypair = tls_keypair_new();
	if (config->keypair == NULL)
		goto err;

	/*
	 * Defaults that can fail (each allocates or validates a string);
	 * short-circuit evaluation stops at the first failure.
	 */
	if (tls_config_set_ca_file(config, _PATH_SSL_CA_FILE) != 0 ||
	    tls_config_set_dheparams(config, "none") != 0 ||
	    tls_config_set_ecdhecurve(config, "auto") != 0 ||
	    tls_config_set_ciphers(config, "secure") != 0)
		goto err;

	/* Defaults that cannot fail. */
	tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT);
	tls_config_set_verify_depth(config, 6);
	tls_config_prefer_ciphers_server(config);
	tls_config_verify(config);

	return (config);

 err:
	tls_config_free(config);
	return (NULL);
}
154 
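/*
 * Release a config and everything it owns: the keypair list (keys are
 * wiped before being freed), the last error message, and every string or
 * buffer installed by the setters in this file. NULL is accepted.
 */
void
tls_config_free(struct tls_config *config)
{
	struct tls_keypair *kp, *nkp;

	if (config == NULL)
		return;

	for (kp = config->keypair; kp != NULL; kp = nkp) {
		nkp = kp->next;
		tls_keypair_free(kp);
	}

	free(config->error.msg);

	free((char *)config->ca_file);
	free((char *)config->ca_mem);
	free((char *)config->ca_path);
	free((char *)config->ciphers);

	/*
	 * The OCSP staple installed by tls_config_set_ocsp_stapling_file()
	 * and tls_config_set_ocsp_stapling_mem() is owned by the config as
	 * well; it was not released here before.
	 */
	free((char *)config->ocsp_file);
	free((char *)config->ocsp_mem);

	free(config);
}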
177 
/*
 * Return the last error message recorded on config (NULL until one is
 * set; the config is calloc()ed). The string is owned by the config.
 */
const char *
tls_config_error(struct tls_config *config)
{
	const char *msg = config->error.msg;

	return msg;
}
183 
/*
 * Drop every in-memory certificate and key in the keypair list (private
 * keys are wiped) and the in-memory CA bundle. File paths are kept.
 */
void
tls_config_clear_keys(struct tls_config *config)
{
	struct tls_keypair *kp = config->keypair;

	while (kp != NULL) {
		tls_keypair_clear(kp);
		kp = kp->next;
	}

	/* Clearing with a NULL source cannot fail. */
	(void)tls_config_set_ca_mem(config, NULL, 0);
}
194 
/*
 * Parse a protocol specification such as "secure", "tlsv1.2:tlsv1.3" or
 * "all,!tlsv1.0" into a TLS_PROTOCOL_* bitmask stored in *protocols.
 *
 * Tokens are separated by ',' or ':', leading blanks are skipped, names
 * are case-insensitive, and a '!' prefix removes the token from the set.
 * A negated token seen while nothing has been selected yet starts from
 * TLS_PROTOCOLS_ALL, so "!tlsv1.0" reads as "everything but TLSv1.0".
 * "all"/"legacy" select every protocol the library knows, which presumably
 * includes versions the "secure" default leaves out.
 *
 * Returns 0 on success, -1 on an unknown token or allocation failure;
 * *protocols is untouched on failure.
 */
int
tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
{
	uint32_t mask = 0;
	char *buf, *rest, *tok;

	/* strsep() writes into the string, so work on a private copy. */
	if ((buf = strdup(protostr)) == NULL)
		return (-1);

	for (rest = buf; (tok = strsep(&rest, ",:")) != NULL; ) {
		uint32_t bit;
		int negate = 0;

		while (*tok == ' ' || *tok == '\t')
			tok++;

		if (*tok == '!') {
			negate = 1;
			tok++;
		}

		if (negate && mask == 0)
			mask = TLS_PROTOCOLS_ALL;

		if (strcasecmp(tok, "all") == 0 ||
		    strcasecmp(tok, "legacy") == 0)
			bit = TLS_PROTOCOLS_ALL;
		else if (strcasecmp(tok, "default") == 0 ||
		    strcasecmp(tok, "secure") == 0)
			bit = TLS_PROTOCOLS_DEFAULT;
		else if (strcasecmp(tok, "tlsv1") == 0)
			bit = TLS_PROTOCOL_TLSv1;
		else if (strcasecmp(tok, "tlsv1.0") == 0)
			bit = TLS_PROTOCOL_TLSv1_0;
		else if (strcasecmp(tok, "tlsv1.1") == 0)
			bit = TLS_PROTOCOL_TLSv1_1;
		else if (strcasecmp(tok, "tlsv1.2") == 0)
			bit = TLS_PROTOCOL_TLSv1_2;
		else if (strcasecmp(tok, "tlsv1.3") == 0)
			bit = TLS_PROTOCOL_TLSv1_3;
		else
			bit = 0;

		/* Unknown name, or a name whose constant is zero: reject. */
		if (bit == 0) {
			free(buf);
			return (-1);
		}

		if (negate)
			mask &= ~bit;
		else
			mask |= bit;
	}

	*protocols = mask;
	free(buf);

	return (0);
}
254 
/*
 * Store a copy of ca_file as the CA bundle path; NULL clears it.
 * Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
{
	const char **slot = &config->ca_file;

	return set_string(slot, ca_file);
}
260 
/*
 * Store a copy of ca_path as the CA directory path; NULL clears it.
 * Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_ca_path(struct tls_config *config, const char *ca_path)
{
	const char **slot = &config->ca_path;

	return set_string(slot, ca_path);
}
266 
/*
 * Store a copy of the len-byte in-memory CA bundle; NULL clears it.
 * Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len)
{
	char **buf = &config->ca_mem;
	size_t *buflen = &config->ca_len;

	return set_mem(buf, buflen, ca, len);
}
272 
/*
 * Set the certificate path on the config's primary keypair; NULL clears
 * it. Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_cert_file(struct tls_config *config, const char *cert_file)
{
	struct tls_keypair *kp = config->keypair;

	return tls_keypair_set_cert_file(kp, cert_file);
}
278 
/*
 * Set the in-memory certificate on the config's primary keypair; NULL
 * clears it. Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
    size_t len)
{
	struct tls_keypair *kp = config->keypair;

	return tls_keypair_set_cert_mem(kp, cert, len);
}
285 
/*
 * Select the cipher list. The names "default"/"secure", "compat"/"legacy",
 * "insecure"/"all", "normal" and "fast" (and NULL, meaning default) are
 * aliases for the TLS_CIPHERS_* lists; any other string is handed to
 * libssl verbatim. The list is validated against a throw-away SSL_CTX
 * before being stored, so config->ciphers is unchanged on failure.
 *
 * Returns 0 on success, -1 (with the error recorded on config) otherwise.
 */
int
tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
{
	const struct { const char *alias; const char *list; } aliases[] = {
		{ "default", TLS_CIPHERS_DEFAULT },
		{ "secure", TLS_CIPHERS_DEFAULT },
		{ "compat", TLS_CIPHERS_COMPAT },
		{ "legacy", TLS_CIPHERS_COMPAT },
		{ "insecure", TLS_CIPHERS_ALL },
		{ "all", TLS_CIPHERS_ALL },
		{ "normal", TLS_CIPHERS_NORMAL },
		{ "fast", TLS_CIPHERS_FAST },
	};
	SSL_CTX *probe = NULL;
	size_t i;
	int rc = -1;

	if (ciphers == NULL) {
		ciphers = TLS_CIPHERS_DEFAULT;
	} else {
		for (i = 0; i < sizeof(aliases) / sizeof(aliases[0]); i++) {
			if (strcasecmp(ciphers, aliases[i].alias) == 0) {
				ciphers = aliases[i].list;
				break;
			}
		}
	}

	/* Let libssl reject an unknown or empty cipher string before we keep it. */
	if ((probe = SSL_CTX_new(SSLv23_method())) == NULL) {
		tls_config_set_errorx(config, "out of memory");
		goto out;
	}
	if (SSL_CTX_set_cipher_list(probe, ciphers) != 1) {
		tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
		goto out;
	}

	rc = set_string(&config->ciphers, ciphers);

 out:
	SSL_CTX_free(probe);
	return rc;
}
322 
/*
 * Select the DHE parameter policy by name: NULL/"none" -> 0, "auto" -> -1,
 * "legacy" -> 1024. The stored value is interpreted when the SSL_CTX is
 * built, which is outside this file. Anything else is rejected with an
 * error recorded on config. Returns 0 on success, -1 otherwise.
 */
int
tls_config_set_dheparams(struct tls_config *config, const char *params)
{
	int keylen = 0;

	if (params != NULL && strcasecmp(params, "none") != 0) {
		if (strcasecmp(params, "auto") == 0) {
			keylen = -1;
		} else if (strcasecmp(params, "legacy") == 0) {
			keylen = 1024;
		} else {
			tls_config_set_errorx(config,
			    "invalid dhe param '%s'", params);
			return (-1);
		}
	}

	config->dheparams = keylen;

	return (0);
}
343 
/*
 * Select the ECDHE curve by name: NULL/"none" -> NID_undef, "auto" -> -1,
 * otherwise the NID libcrypto resolves for the name. An unresolvable name
 * is rejected with an error recorded on config. Returns 0 on success, -1
 * otherwise.
 */
int
tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
{
	int nid = NID_undef;

	if (name != NULL && strcasecmp(name, "none") != 0) {
		if (strcasecmp(name, "auto") == 0) {
			nid = -1;
		} else {
			nid = OBJ_txt2nid(name);
			if (nid == NID_undef) {
				tls_config_set_errorx(config,
				    "invalid ecdhe curve '%s'", name);
				return (-1);
			}
		}
	}

	config->ecdhecurve = nid;

	return (0);
}
362 
/*
 * Set the private key path on the config's primary keypair; NULL clears
 * it. Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_key_file(struct tls_config *config, const char *key_file)
{
	struct tls_keypair *kp = config->keypair;

	return tls_keypair_set_key_file(kp, key_file);
}
368 
/*
 * Set the in-memory private key on the config's primary keypair (the old
 * key bytes are wiped); NULL clears it. Returns 0 on success, -1 on
 * allocation failure.
 */
int
tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
    size_t len)
{
	struct tls_keypair *kp = config->keypair;

	return tls_keypair_set_key_mem(kp, key, len);
}
375 
/*
 * Set both the certificate and private key paths on the primary keypair.
 * The key path is only attempted once the certificate path is stored, so
 * a failure may leave the certificate set and the key untouched.
 * Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_keypair_file(struct tls_config *config,
    const char *cert_file, const char *key_file)
{
	int failed = tls_config_set_cert_file(config, cert_file) != 0 ||
	    tls_config_set_key_file(config, key_file) != 0;

	return failed ? (-1) : (0);
}
387 
/*
 * Set both the in-memory certificate and private key on the primary
 * keypair. The key is only attempted once the certificate is stored, so a
 * failure may leave the certificate set and the key untouched.
 * Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
    size_t cert_len, const uint8_t *key, size_t key_len)
{
	int failed = tls_config_set_cert_mem(config, cert, cert_len) != 0 ||
	    tls_config_set_key_mem(config, key, key_len) != 0;

	return failed ? (-1) : (0);
}
399 
/*
 * Set the path of the OCSP staple blob; NULL clears it. A file and an
 * in-memory blob are mutually exclusive, so installing a path first drops
 * any in-memory blob (that clear cannot fail and does not recurse back
 * here, since it is called with a NULL blob).
 * Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_ocsp_stapling_file(struct tls_config *config, const char *blob_file)
{
	if (blob_file != NULL)
		(void)tls_config_set_ocsp_stapling_mem(config, NULL, 0);

	return set_string(&config->ocsp_file, blob_file);
}
408 
/*
 * Store a copy of the len-byte OCSP staple blob; NULL clears it. A file
 * and an in-memory blob are mutually exclusive, so installing a blob first
 * drops any configured path (that clear cannot fail and does not recurse
 * back here, since it is called with a NULL path).
 * Returns 0 on success, -1 on allocation failure.
 */
int
tls_config_set_ocsp_stapling_mem(struct tls_config *config, const uint8_t *blob, size_t len)
{
	if (blob != NULL)
		(void)tls_config_set_ocsp_stapling_file(config, NULL);

	return set_mem(&config->ocsp_mem, &config->ocsp_len, blob, len);
}
417 
/*
 * Replace the enabled-protocol bitmask (TLS_PROTOCOL_* bits, e.g. from
 * tls_config_parse_protocols()). No validation is performed here.
 */
void
tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
{
	config->protocols = protocols;
}
423 
/*
 * Set the maximum certificate chain depth accepted during verification
 * (tls_config_new() defaults it to 6). No range check is performed here.
 */
void
tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
{
	config->verify_depth = verify_depth;
}
429 
/* Honour the client's cipher preference order (ciphers_server = 0). */
void
tls_config_prefer_ciphers_client(struct tls_config *config)
{
	config->ciphers_server = 0;
}
435 
/*
 * Honour the server's cipher preference order (ciphers_server = 1). This
 * is the default chosen by tls_config_new().
 */
void
tls_config_prefer_ciphers_server(struct tls_config *config)
{
	config->ciphers_server = 1;
}
441 
/*
 * Disable peer certificate verification. As the name says this is an
 * insecure mode; tls_config_verify() turns all three checks back on.
 */
void
tls_config_insecure_noverifycert(struct tls_config *config)
{
	config->verify_cert = 0;
}
447 
/*
 * Disable matching of the peer certificate against the expected name. As
 * the name says this is an insecure mode; tls_config_verify() turns all
 * three checks back on.
 */
void
tls_config_insecure_noverifyname(struct tls_config *config)
{
	config->verify_name = 0;
}
453 
/*
 * Disable the certificate validity-period check. As the name says this is
 * an insecure mode; tls_config_verify() turns all three checks back on.
 */
void
tls_config_insecure_noverifytime(struct tls_config *config)
{
	config->verify_time = 0;
}
459 
/*
 * Enable certificate, name and validity-period verification of the peer.
 * This is the default set by tls_config_new() and undoes any of the
 * tls_config_insecure_noverify*() calls.
 */
void
tls_config_verify(struct tls_config *config)
{
	config->verify_time = 1;
	config->verify_name = 1;
	config->verify_cert = 1;
}
467 
/*
 * Require a client certificate (verify_client = 1). The value is
 * interpreted when the context is built, outside this file.
 */
void
tls_config_verify_client(struct tls_config *config)
{
	config->verify_client = 1;
}
473 
/*
 * Request but do not require a client certificate (verify_client = 2).
 * The value is interpreted when the context is built, outside this file.
 */
void
tls_config_verify_client_optional(struct tls_config *config)
{
	config->verify_client = 2;
}
479 
480 #endif /* USUAL_LIBSSL_FOR_TLS */
481